Archive for the ‘Cyber, Privacy, & Security’ Category

As we recently posted, California has passed the landmark California Consumer Privacy Act of 2018 (“CCPA”), which goes into effect on January 1, 2020 and grants California residents new, expansive privacy rights. Many observers are comparing its scope to that of the European Union’s General Data Protection Regulation (“GDPR”). However, as protective as the new statute may be for California residents, it represents a number of significant burdens and challenges for businesses throughout the country.

Unknown Final Requirements

Despite what appears to be a finalized bill, future amendments and clarifications to the CCPA are necessary and will likely significantly alter the current draft. The CCPA was enacted after a single week of legislative debate. The reasons for the quick turnaround can be debated but the current draft contains a number of errors that will need to be addressed before its effective date on January 1, 2020. The uncertainty surrounding the bill means that businesses attempting to be proactive in terms of compliance may be throwing darts in the dark.

Attorney General Regulations

Additionally, the bill instructs the California Attorney General to develop regulations ahead of the effective date in a number of areas to further the purposes of the CCPA. While it’s arguable whether this will provide greater protections to consumers, it will undoubtedly come at the expense of those businesses covered by the CCPA. At this time these specific AG regulations are unknown and, with an upcoming election, there is no guarantee we will know what these regulations will be until late next year, shortly before implementation.

Compliance Burn Out

As we all know, the GDPR went into effect on May 25, 2018. Most companies have spent the last year conducting data flow analysis, mapping, and regulatory compliance in order to come into compliance prior to the effective date. According to an October 2017 survey by Paul Hastings LLP, the cost of GDPR compliance for Fortune 500 firms runs approximately $1 million just for the necessary technology that those companies need to comply.

Unfortunately for all of those companies that spent the last 12 to 18 months navigating GDPR compliance, you will not automatically be complying with the CCPA. The CCPA requirements, while similar, do not entirely overlap with the GDPR and, in many cases, the CCPA goes even further than the GDPR. All those companies will now need to engage in an additional 18 months of legal compliance reviews in anticipation of the January 1, 2020 implementation date.

The scope of the CCPA affects businesses across the country, not just those in California. The CCPA protections generally encompass all retail and commercial activity that includes the collection of data relating to a resident of California which is retained, sold or transferred by the business. While the CCPA contains numerous exemptions for particular data uses and functionality, these exceptions require close scrutiny and analysis by covered businesses. To discuss how the CCPA might affect your business and what you can do in anticipation of the numerous issues relating to the act, please contact Jonathan Romvary at [email protected].

California has passed a sweeping data privacy law that will result in dramatic changes to how businesses in the state handle consumer data. AB 375, which will take effect on January 1, 2020, grants consumers more control over and insight into the dissemination of personal information, but imposes significant obligations on certain businesses in order to achieve those goals.

The law will apply to any California business that: (1) has an annual gross revenue over $25 million; or (2) alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

The new legislation is similar in nature to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide residents of California the most comprehensive consumer privacy rights in the country. To that end, AB 375 requires covered businesses to give California residents:

The right to seek disclosure of any personal information collected by the business, up to twice a year;

The right to be informed of what categories of data will be collected, prior to its collection, and to be informed of any changes to this collection;

The right to request deletion of information collected by the business;

The right to opt-out of the sale of personal information;

Mandated opt-in before the sale of a minor’s information;

Protection of consumer data through reasonable security procedures and practices.

Additionally, one of the most significant aspects of the law creates a private right of action for any consumer for data breaches, without the requirement that the consumer prove injury before being awarded damages. The law provides that “any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may bring a civil action. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive or declaratory or other relief.

While AB 375 does not take effect until 2020, California businesses should begin the process of reviewing these new, complex requirements and evaluating the applicability of the regulations to their operations. Specifically, businesses should begin to assess the types and scope of data they currently collect (and have collected and stored in the past) that may be covered by the law. Moreover, organizations should minimize their exposure in handling personal data, keeping only the data directly necessary for business and legal needs.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Increasingly sophisticated hackers have targeted personal and business data held by companies like Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc. during the past decade. The construction industry is just as susceptible to these risks as any other industry. As construction projects increase in size and there is more sharing of data related to buildings and projects, and as more of that sharing becomes electronic, cyberrisks increase as well.

Contractors and their business partners hold personal information about their clients and employees, and they are increasingly using more electronic means to exchange data and survey construction projects. A significant threat for companies in the construction industry comes from the open and increasingly connected network between those in charge of a project and their various subcontractors and business partners, who need swift and seamless access to plans and other sensitive data to do their part of the work.

Many companies in the construction industry assume that since they have policies that cover losses stemming from physical and property damage, any infiltration into their systems that results in the loss of access to sensitive information is covered by such insurance. However, most commercial general liability policies carve out cyberthreats from coverage. While contractors can still make claims under more traditional policies and may find that some of their losses are covered, relying solely on these protections may be dangerous and result in uncovered losses.

Specialized cyberinsurance can fill in the gaps left by commercial general liability policies that do not account for losses caused by damage to virtual information systems, and ensure that any damages, injuries or delay caused by downstream contractors or business partners are covered as well. Once policies are in place, contractors need to revisit them regularly to account for changes in the cyberthreat landscape as they relate to the construction industry.

If you have any questions or would like more information, please contact Barry Brownstein at [email protected].

The Eleventh Circuit recently held that an insured could not recover $10.7 million in losses under a computer fraud policy covering losses “resulting directly from” the use of a computer to fraudulently cause a transfer of funds.

In Interactive Communs. Int’l, Inc. v. Great Am. Ins. Co., 2018 U.S. App. LEXIS 12410 (11th Cir. May 10, 2018), the Eleventh Circuit held that, under Georgia law, “one thing results ‘directly’ from another if it follows straightaway, immediately, and without any intervention or interruption.” Id. at *12. In doing so, the Eleventh Circuit rejected the insured’s argument that “resulting directly from” means proximate cause, and that the mere fact that computer fraud set into motion a chain of events that led to the insured’s loss was sufficient to establish coverage. Because there were several steps between the computer fraud (fraudulently redeeming the same debit card “chits” multiple times) and the loss sustained when money was transferred from a bank account controlled by the insured to a merchant to cover the fraudster’s debit card purchase, and there was a lack of immediacy between the computer fraud and the loss, the Eleventh Circuit held that the insured’s loss did not “result directly from” computer fraud. Id. at *14-15.

A growing number of courts around the country likewise have held that “resulting directly from” and similar language in computer fraud, funds transfer fraud and similar computer crime policies requires an immediate link between the covered event and the loss. However, courts in some jurisdictions, including New Jersey, Pennsylvania and Ohio, have held that such language only requires that the covered event be a proximate cause of the loss. Insurers reviewing claims under computer fraud, funds transfer fraud and similar computer crime policies requiring that a loss “result directly from” a covered event (or similar language) should confer with coverage counsel regarding whether the relevant jurisdiction requires an immediate link between the covered event and the loss and (if so) whether the circumstances of the claim satisfy this requirement.

If you have any questions or would like more information, please contact Bill Buechner at [email protected].

At the end of April, the U.S. Supreme Court accepted a certiorari petition in the case Frank v. Gaos, No. 17-961, 2018 WL 324121 (U.S. Apr. 30, 2018). The Supreme Court will determine if a class-action settlement involving Google met federal law requirements when $5.3 million of the $8.5 million settlement fund was given to outside groups. The question presented: “Whether, or in what circumstances, a cy pres award of class action proceeds that provides no direct relief to class members supports class certification and comports with the requirement that a settlement binding class member must be ‘fair, reasonable, and adequate.’”

Cy pres is a doctrine applied where the original objective of a settlor or testator has become impracticable, impossible or, in some instances, illegal to perform. Cy pres allows the court to alter the terms of the charitable trust to get as close as possible to the original intention of the testator or settlor, so that the trust can continue rather than fail.

The core issue in this case is whether this settlement complied with Rule 23(e)(2), which sets the requirement that proposed class action settlements be “fair, reasonable and adequate.” In certain class action situations, funds can go unclaimed when the members’ claims are small or the claims process is difficult. To prevent the unclaimed amounts from returning to the defendant’s pocket, the money can be directed to other causes, charities and foundations.

Here, the class action stems from allegations that web browsers disclosed Google searches to third-party websites. Three of the named plaintiffs received $15,000 incentive awards, and the rest of the class received nothing. The cy pres award was allegedly given to organizations that promised to use the money to protect internet privacy. The cy pres recipients included: World Privacy Forum; Carnegie Mellon University; the Center for Information, Society and Policy at Chicago-Kent College of Law; the Berkman Center for Internet and Society at Harvard University; the Stanford Center for Internet and Society; and AARP. According to the cert petition, absent class members received “no relief at all in exchange for their claims—no money, no alteration of the defendant’s allegedly injurious conduct, not even coupons.”

The implications of this decision for how settlement funds are distributed, particularly in class actions, can be huge. Class actions span from internet privacy to self-driving cars to the ongoing tobacco litigation. For now, we wait and see.

If you have any questions or would like more information, please contact Samantha Skolnick at [email protected].